How do I prevent an email address from being submitted for password reset?

Hi, I’d like for my WP users to only be able to reset their passwords if they enter their username in the reset field. By default, they have they option to enter either a username or an email address. Do I have to use Javascript or is there another way? If Javascript is the only option, does anyone know what the simplest script would be?

  • Vaughan
    • Support/SLS MockingJay

    hiya

    thanks for posting.

    that’s part of the WP core, unfortunately, i don’t think you can do this without hacking the WP core itself, which should be avoided at all costs.

    is there any detrimental reason you don’t want email address to be used?

    hope this helps.

    thanks.

  • hccdev
    • Flash Drive

    Yes, several of my users have the same email address (because they can only accept internal email) so if they were to reset the password by email address than it would send a reset notification to each user with that email address.

    I figured it was part of the core, but I should be able to use javascript to prevent that field from accepting entries that contain an @ symbol, right?

  • Vaughan
    • Support/SLS MockingJay

    hiya

    i wasn’t aware that wordpress could have 2 users with the same email address. that definitely isn’t the way the system works for me.

    that could have serious other side-effects if you have modified the core to allow it to accept users with the same address.

    thanks.

  • hccdev
    • Flash Drive

    I have never modified the WP core files. It’s just a plugin. The users who share email addresses can only view private content. They can’t post or enter comments. It should be fine. Javascript seems like the safest option I guess.

  • Vaughan
    • Support/SLS MockingJay

    hiya

    I understand now, wasn’t aware there was a plugin to do that.

    without modifying the wp-signup functions in the core, it does look like javascript is the better option. unfortunately, i won’t be able to help with the javascript as that’s a bit out of my league.

    thanks.

  • Rich
    • Flash Drive

    Hi

    I ran into a similar conundrum with this kind of functionality.

    I stopped looking into it when I realised that if my users had the same email address and one requested a password reset, then surely all users will see the reset email anyway.

    Did you find a workaround for this?

  • hccdev
    • Flash Drive

    I have it setup so that all users sharing the same email address use an email address managed by a department head. That person then forwards the password reset email along to the appropriate user from there. When a user enters his/her Username, it sends the notification and includes the username so the department head knows who to forward along to.

    The only reason I’m doing it this way is because some of the users can only receive email internally. The department head is able to forward the password reset internally.

  • hccdev
    • Flash Drive

    I tried this, but it didn’t work:

    function my_check_user_login() {
    if (strpos($user_login,'@') !== false);
    // if (strpos($user_data,'@') !== false);
    return new WP_Error('no_password_reset', __('This Username is invalid'));
    }

    add_action( 'login_form_lostpassword', 'my_check_user_login' );

  • hccdev
    • Flash Drive

    On line 191 of wp-login.php is this code:

    $user_data = get_user_by( 'email', trim( $_POST['user_login'] ) );

    if I change it to

    $user_data = get_user_by( '', trim( $_POST['user_login'] ) );

    it prevents emails from being entered to reset the password.

    Would prefer not to have to modify the wp-login.php code, but if this is the only way, then it’s a simply mod to keep track of in an upgrade.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.